Verified Commit acf8a71d authored by p.jbowden's avatar p.jbowden

upgrade snet-abac-server and fix up policies

- upgrade to latest snet-abac-server with SSE integration in
  docker-compose files
- fix up abac policies, tested locally
- keep sse policy disabled for now so it has no effect on the live
  deployment
parent fdfe9ab7
......@@ -2,7 +2,7 @@ version: '3'
services:
abac-server:
image: docker.gitlab.gwdg.de/snet-asclepios-demo/dockerfiles/somnonetz/snet-abac-server:latest
image: docker.gitlab.gwdg.de/snet-asclepios-demo/dockerfiles/somnonetz/snet-abac-server@sha256:f00bb06639274728cd74a41513ce11785a56bd4c8bda5e9d28e2d0b06c22b002
container_name: abac-server
entrypoint: ./run.sh
environment:
......
<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="42ee7eee-1559-4920-83c5-4a5aadb0969c"
PolicyId="8f80736f-02fb-4be5-bcb3-a17136f1cbcc"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0">
<xacml3:Description><![CDATA[
Policy Id: 42ee7eee-1559-4920-83c5-4a5aadb0969b
Policy Id: 8f80736f-02fb-4be5-bcb3-a17136f1cbcc
Policy Name: keytray-access-policy
Description: Manage access to data stored on the ASCLEPIOS Keytray service
]]></xacml3:Description>
......@@ -74,7 +74,7 @@
<!-- Policy Obligations -->
<xacml3:ObligationExpressions>
<ObligationExpression ObligationId="TrackingObligation:42ee7eee-1559-4920-83c5-4a5aadb0969c:permit" FulfillOn="Permit">
<ObligationExpression ObligationId="TrackingObligation:8f80736f-02fb-4be5-bcb3-a17136f1cbcc:permit" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="asclepios:obligation:decision">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PERMIT</xacml3:AttributeValue>
</AttributeAssignmentExpression>
......@@ -82,13 +82,13 @@
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:id">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">42ee7eee-1559-4920-83c5-4a5aadb0969c</xacml3:AttributeValue>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">8f80736f-02fb-4be5-bcb3-a17136f1cbcc</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:name">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keytray-access-policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression ObligationId="TrackingObligation:42ee7eee-1559-4920-83c5-4a5aadb0969c:deny" FulfillOn="Deny">
<ObligationExpression ObligationId="TrackingObligation:8f80736f-02fb-4be5-bcb3-a17136f1cbcc:deny" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="asclepios:obligation:decision">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DENY</xacml3:AttributeValue>
</AttributeAssignmentExpression>
......@@ -96,7 +96,7 @@
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:id">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">42ee7eee-1559-4920-83c5-4a5aadb0969c</xacml3:AttributeValue>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">8f80736f-02fb-4be5-bcb3-a17136f1cbcc</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:name">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keytray-access-policy</xacml3:AttributeValue>
......
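Review bot: The new policy id `8f80736f-02fb-4be5-bcb3-a17136f1cbcc` is now hand-copied into six places in this file (the `PolicyId` attribute, the `Policy Id:` line of the Description, both `TrackingObligation:…:permit`/`:deny` ObligationIds and both `asclepios:obligation:id` values), and the removed Description line shows how easily they drift: it carried `…969b` while the attribute carried `…969c`. A comment next to the attribute would make that maintenance rule explicit: `<!-- NOTE: this id is repeated in the Description and in every TrackingObligation below; change all occurrences together -->`. Separately, `ObligationExpression` and `AttributeAssignmentExpression` are written without the `xacml3:` prefix while their parent `xacml3:ObligationExpressions` and child `xacml3:AttributeValue` are prefixed, and only `xmlns:xacml3` is declared on the root with no default namespace. That predates this commit, but a schema-validating XACML loader would likely place the unprefixed elements in no namespace, so it is worth confirming the server's parser tolerates the mix.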
<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy
xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="42ee7eee-1559-4920-83c5-4a5aadb0969c"
PolicyId="c96cf602-f3c0-44b0-b4b7-295cfa36244f"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
Version="1.0">
<xacml3:Description><![CDATA[
Policy Id: 42ee7eee-1559-4920-83c5-4a5aadb0969c
Policy Id: c96cf602-f3c0-44b0-b4b7-295cfa36244f
Policy Name: sse-access-policy
Description: Manage access to data stored on the ASCLEPIOS SSE service
]]></xacml3:Description>
<!-- Taget -->
<!-- Target -->
<xacml3:Target>
<AnyOf>
<AllOf>
......@@ -19,12 +19,8 @@
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">zuul.snet-apps.*</AttributeValue>
<AttributeDesignator AttributeId="http-header-host" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
<!-- <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/ta/api/v1/longrequest/</AttributeValue>
<AttributeDesignator AttributeId="http-req-url" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match> -->
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POST</AttributeValue>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET|POST</AttributeValue>
<AttributeDesignator AttributeId="http-req-method" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
......@@ -78,7 +74,7 @@
<!-- Policy Obligations -->
<xacml3:ObligationExpressions>
<ObligationExpression ObligationId="TrackingObligation:42ee7eee-1559-4920-83c5-4a5aadb0969c:permit" FulfillOn="Permit">
<ObligationExpression ObligationId="TrackingObligation:c96cf602-f3c0-44b0-b4b7-295cfa36244f:permit" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="asclepios:obligation:decision">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PERMIT</xacml3:AttributeValue>
</AttributeAssignmentExpression>
......@@ -86,13 +82,13 @@
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:id">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">42ee7eee-1559-4920-83c5-4a5aadb0969c</xacml3:AttributeValue>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">c96cf602-f3c0-44b0-b4b7-295cfa36244f</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:name">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sse-access-policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression ObligationId="TrackingObligation:42ee7eee-1559-4920-83c5-4a5aadb0969c:deny" FulfillOn="Deny">
<ObligationExpression ObligationId="TrackingObligation:c96cf602-f3c0-44b0-b4b7-295cfa36244f:deny" FulfillOn="Deny">
<AttributeAssignmentExpression AttributeId="asclepios:obligation:decision">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DENY</xacml3:AttributeValue>
</AttributeAssignmentExpression>
......@@ -100,7 +96,7 @@
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Policy</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:id">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">42ee7eee-1559-4920-83c5-4a5aadb0969c</xacml3:AttributeValue>
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">c96cf602-f3c0-44b0-b4b7-295cfa36244f</xacml3:AttributeValue>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression AttributeId="asclepios:obligation:name">
<xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sse-access-policy</xacml3:AttributeValue>
......
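Review bot: The Target in the hunk at `@@ -19,12 +19,8 @@` now scopes this policy by host and HTTP method alone: the commented-out `http-req-url` Match was deleted rather than re-enabled, and the method Match was widened from `string-equal` `POST` to `string-regexp-match` `GET|POST`, so every GET or POST to a `zuul.snet-apps.*` host falls under this policy once it is enabled (the commit message says it stays disabled for now). If a path restriction is still intended for the SSE service it should return as a live Match before the policy goes live; the Rules that actually decide the outcome are outside the hunk. The pattern `GET|POST` is also unanchored, and implementations of XACML `string-regexp-match` differ on whether the whole value must match, so `^(GET|POST)$` states the intent unambiguously either way. A short comment on the Match, e.g. `<!-- applies to GET and POST only; the URL path is deliberately not restricted here -->`, would keep the widening visible to the next editor.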